Keycloak 26.5.7 — 7 CVEs patched, two of them critical

· Security · IDPTrust

Keycloak 26.5.7 was released on April 2, 2026. This is almost entirely a security release — 7 CVEs addressed in a single drop. If you run Keycloak in production, this update is not optional.

Here is a breakdown of what was fixed and how severe each issue is.


Critical — patch immediately

CVE-2026-4282 · CVSS 7.4 (High) — Privilege escalation via forged authorization codes

The SingleUseObjectProvider component, a global key-value store used internally by Keycloak, lacks proper type and namespace isolation. An unauthenticated attacker can exploit this flaw to forge authorization codes and use them to obtain admin-capable access tokens — without credentials and without user interaction.

This is the most dangerous vulnerability in this release. No authentication required, no user interaction required, and successful exploitation gives an attacker full administrative control over your Keycloak instance.

What to check: Review any external network exposure of your Keycloak endpoints. Ensure your instance is updated before anything else.


CVE-2026-3872 · CVSS 7.3 (High) — Redirect URI validation bypass via path traversal

A flaw in how Keycloak validates redirect URIs with wildcard patterns allows an attacker who controls any other path on the same web server to bypass the allowed-path restriction using a ..;/ sequence in the OIDC authorization endpoint. A successful exploit leads to access token theft.

What to check: If your Keycloak instance shares a hostname with other applications, this is especially relevant. Review your redirect URI configurations and ensure wildcard patterns are as restrictive as possible.
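
A quick way to act on that advice is to pull the redirect URI patterns out of a realm export and flag the ones worth a second look, and to see concretely why a prefix check on its own is not enough. The script below is an added example for this post, not Keycloak's own validation code; the realm export fragment in it is constructed, and the classification rules and the strict matcher are our own choices, not a description of how Keycloak matches wildcards internally.

```python
"""Redirect URI audit and strict matching for Keycloak clients.

Added example, not Keycloak's own validation code. It reads a realm export
(the JSON fragment below is constructed for this post), flags redirect URI
patterns that deserve review, and shows a matcher that canonicalizes the
candidate path before comparing it against a 'scheme://host/path/*' pattern.
"""
import json
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed realm export fragment; not from a real deployment.
REALM_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "spa", "redirectUris": ["https://app.example.com/callback"]},
        {"clientId": "legacy", "redirectUris": ["https://shared.example.com/legacy/*"]},
        {"clientId": "dev", "redirectUris": ["*", "http://localhost:3000/*"]},
    ],
})


def audit_redirect_uris(export_json: str) -> List[Tuple[str, str, str]]:
    """Return (clientId, pattern, finding) for every pattern worth a second look."""
    findings = []
    for client in json.loads(export_json)["clients"]:
        for pattern in client.get("redirectUris", []):
            if pattern == "*":
                findings.append((client["clientId"], pattern, "unrestricted wildcard"))
            elif pattern.startswith("http://") and "localhost" not in pattern:
                findings.append((client["clientId"], pattern, "plain http"))
            elif pattern.endswith("/*"):
                # Path wildcards matter most when the host is shared with other apps.
                findings.append((client["clientId"], pattern, "path wildcard"))
    return findings


def canonical_path(path: str) -> Optional[str]:
    """Normalize a path, or return None if it carries constructs a prefix check
    cannot reason about: dot-segments, matrix parameters (';'), or
    percent-encoding that could hide either."""
    if not path.startswith("/"):
        return None
    for segment in path.split("/"):
        if ";" in segment or "%" in segment or segment in (".", ".."):
            return None
    norm = posixpath.normpath(path)          # collapses runs of '/'
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def redirect_uri_allowed(redirect_uri: str, registered: List[str]) -> bool:
    """Exact match, or prefix match under a 'scheme://host/path/*' pattern,
    after canonicalizing the candidate. An unrestricted '*' is never honoured."""
    cand = urlsplit(redirect_uri)
    if not cand.scheme or not cand.netloc or cand.fragment:
        return False
    path = canonical_path(cand.path or "/")
    if path is None:
        return False
    canon = urlunsplit((cand.scheme.lower(), cand.netloc.lower(), path, "", ""))
    for pattern in registered:
        if pattern == "*":
            continue
        if pattern.endswith("/*"):
            base = urlsplit(pattern[:-1])    # keeps the trailing '/' of the prefix
            prefix = urlunsplit((base.scheme.lower(), base.netloc.lower(), base.path, "", ""))
            if canon.startswith(prefix):
                return True
        elif not cand.query and canon == pattern:
            return True
    return False


if __name__ == "__main__":
    for client_id, pattern, finding in audit_redirect_uris(REALM_EXPORT):
        print(f"{client_id}: {pattern} -> {finding}")
```

The matcher rejects any path segment containing ";" or "%" outright rather than trying to decode and normalize it; that is deliberately stricter than a general-purpose URL normalizer, because a redirect URI under your control should never need those characters, and refusing them removes the whole class of "looks like one path to the validator, routes to another upstream" problems the CVE describes.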


High — review your setup

CVE-2026-4636 — UMA policy injection allows cross-user permission grants

An authenticated user can inject a resource reference into a UMA policy in a way that grants them unauthorized access to resources owned by other users. Affects deployments using UMA 2.0 for resource sharing.

CVE-2026-3429 — Improper LoA control during credential deletion (Account API)

The Account REST API does not properly enforce the required Level of Assurance when a user deletes a credential. This can be exploited to remove MFA factors and take over an account without satisfying the authentication level the policy requires for that action.
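
To make the missing control concrete, here is a small illustration of what enforcing a Level of Assurance before a sensitive account action looks like: a credential may only be removed by a session that has reached the level the policy assigns to that credential type, and reached it recently. This is an added example with a hypothetical policy model (the REQUIRED_LOA table, the LOA_MAX_AGE window and the Session and Credential records are all assumptions); it is not Keycloak's Account API code and does not claim to reproduce Keycloak's step-up implementation.

```python
"""Step-up check before deleting a credential.

Added illustration of the control CVE-2026-3429 concerns. The policy table,
the freshness window and the record types are hypothetical; this is not
Keycloak's own Account API logic.
"""
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical policy: LoA a session must have achieved to remove each
# credential type, and how long an achieved LoA stays valid (seconds).
REQUIRED_LOA = {"password": 2, "otp": 2, "webauthn": 2, "recovery-codes": 1}
LOA_MAX_AGE = 300


@dataclass
class Session:
    user_id: str
    loa: int                 # highest level achieved in this session
    loa_achieved_at: float   # epoch seconds when that level was reached


@dataclass
class Credential:
    id: str
    user_id: str
    type: str


def delete_allowed_weak(session: Session, cred: Credential) -> bool:
    """Ownership check only: the kind of check the advisory describes as insufficient."""
    return session.user_id == cred.user_id


def delete_allowed(session: Session, cred: Credential,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Ownership plus a fresh step-up at the level the policy requires."""
    now = time.time() if now is None else now
    if session.user_id != cred.user_id:
        return False, "not owner"
    required = REQUIRED_LOA.get(cred.type)
    if required is None:
        # Fail closed on credential types the policy does not know about.
        return False, "unknown credential type"
    if session.loa < required:
        return False, f"requires LoA {required}, session has {session.loa}"
    if now - session.loa_achieved_at > LOA_MAX_AGE:
        return False, "step-up expired; re-authenticate"
    return True, "ok"


if __name__ == "__main__":
    s = Session("alice", loa=1, loa_achieved_at=time.time())
    c = Credential("cred-1", "alice", "otp")
    print("weak:", delete_allowed_weak(s, c), "| strict:", delete_allowed(s, c))
```

The important edge case is the freshness window: a session that reached LoA 2 an hour ago has had plenty of time to be hijacked, so the strict check demands a recent step-up rather than just any step-up in the session's history.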

CVE-2026-4634 — Application-level DoS via scope processing

Keycloak does not adequately limit the processing of OpenID Connect scope parameters. An unauthenticated attacker can send crafted requests that cause excessive processing, degrading the availability of the instance without requiring any credentials.
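
Until every instance is patched, it helps to be able to see this kind of traffic in your access logs. The script below is an added example of that detection logic, not code from Keycloak: it parses combined-format access log lines (the lines are constructed for this post), pulls the scope parameter out of requests to the OIDC authorization endpoint, and flags values that are oversized, carry an implausible number of tokens, repeat the parameter, or repeat tokens inside it. The thresholds are assumptions; size them from the scopes your realms actually define.

```python
"""Spotting abusive scope parameters in Keycloak access logs.

Added example of detection logic for the failure mode CVE-2026-4634
describes; not Keycloak code. Log lines are constructed; thresholds are
assumptions to be tuned per deployment.
"""
import re
from collections import Counter
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

MAX_SCOPE_BYTES = 512      # assumed limit; a realm rarely needs more than a handful of scopes
MAX_SCOPE_TOKENS = 16      # assumed limit
AUTH_ENDPOINT_SUFFIX = "/protocol/openid-connect/auth"

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _line(ip: str, seq: int, target: str, status: int) -> str:
    """Build a constructed access log line."""
    return f'{ip} - - [02/Apr/2026:10:00:0{seq} +0000] "GET {target} HTTP/1.1" {status} 0'


AUTH = "/realms/example" + AUTH_ENDPOINT_SUFFIX
# Constructed sample: a benign request, an inflated scope list, a request to a
# different endpoint, and a request with the scope parameter sent twice.
LOG_LINES = [
    _line("203.0.113.10", 1, AUTH + "?client_id=spa&response_type=code&scope=openid%20profile"
          "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback", 302),
    _line("203.0.113.10", 2, AUTH + "?client_id=spa&response_type=code&scope="
          + "%20".join(["openid"] * 40), 302),
    _line("198.51.100.7", 3, "/realms/example/protocol/openid-connect/token", 405),
    _line("198.51.100.7", 4, AUTH + "?client_id=spa&scope=openid&scope=openid", 302),
]


def scope_anomaly(target: str) -> Optional[str]:
    """Return a reason if the request target's scope parameter looks abusive, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(AUTH_ENDPOINT_SUFFIX):
        return None
    values = parse_qs(parts.query).get("scope", [])
    if not values:
        return None
    if len(values) > 1:
        return f"scope parameter repeated {len(values)} times"
    raw = values[0]
    if len(raw) > MAX_SCOPE_BYTES:
        return f"scope value is {len(raw)} bytes"
    tokens = raw.split()
    if len(tokens) > MAX_SCOPE_TOKENS:
        return f"{len(tokens)} scope tokens"
    dupes = sorted(t for t, n in Counter(tokens).items() if n > 1)
    if dupes:
        return "duplicated scope tokens: " + ",".join(dupes)
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, reason) for every flagged request, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that are not in the expected format
        reason = scope_anomaly(m.group("target"))
        if reason:
            hits.append((m.group("ip"), reason))
    return hits


def offenders(lines: List[str]) -> Counter:
    """Flagged requests per source IP; a natural input for rate limiting at the proxy."""
    return Counter(ip for ip, _ in scan_log(lines))


if __name__ == "__main__":
    for ip, reason in scan_log(LOG_LINES):
        print(f"{ip}: {reason}")
```

The per-IP counter is the piece you would wire into a reverse proxy or WAF rule; flagging a single request tells you little, but a source that trips the check repeatedly is worth throttling until the upgrade lands.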


Moderate

CVE-2025-14083 — Information disclosure via Admin REST API

A user holding only the create-client permission — considered low-privilege by design — can access the /admin/realms/master/users/profile endpoint and read internal user profile schema data, including attribute names, validation rules, and permission mappings.

CVE-2026-1002 — Vert.x static file cache manipulation

The static file handler in the underlying Vert.x framework can have its cache manipulated in a way that denies legitimate access to static resources. Addressed in this release by the Quarkus 3.27.3 dependency update.


Additional changes

  • Quarkus upgraded to 3.27.3.
  • One bug fix: calls without a Host header no longer throw an uncaught error.

Should you update?

Yes, and soon. Two of these CVEs require no authentication to exploit. The attack surface is any Keycloak instance reachable over the network.

If you are running a version older than 26.5.7 — or worse, still on a WildFly-based distribution — this release is a good reminder that staying current is not just good practice, it is a security requirement.

Full release notes: keycloak.org/2026/04/keycloak-2657-released


At IDPTrust we specialize in Keycloak in production. If you need help assessing the impact of this release on your setup or planning an upgrade, get in touch.